Separate Resource Server¶
Django OAuth Toolkit allows the Authentication Server and the Resource Server to be separated. Based on RFC 7662, Django OAuth Toolkit provides an RFC-compliant introspection endpoint, and it can also verify access tokens by querying an introspection endpoint.
Setup the Authentication Server¶
Set up the Authentication Server as described in the tutorial.
Create an OAuth2 access token for the Resource Server and add the introspection scope to the settings:
    'SCOPES': {
        'read': 'Read scope',
        'write': 'Write scope',
        'introspection': 'Introspect token scope',
        ...
    },
The Authentication Server will listen for introspection requests. The endpoint is located within oauth2_provider.urls as /introspect/.
Example Request:

    POST /o/introspect/ HTTP/1.1
    Host: server.example.com
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer 3yUqsWtwKYKHnfivFcJu

    token=uH3Po4KXWP4dsY4zgyxH
Example Response:

    HTTP/1.1 200 OK
    Content-Type: application/json

    {
        "active": true,
        "client_id": "oUdofn7rfhRtKWbmhyVk",
        "username": "jdoe",
        "scope": "read write dolphin",
        "exp": 1419356238
    }
Setup the Resource Server¶
Set up the Resource Server like the Authentication Server, as described in the tutorial.
Add RESOURCE_SERVER_INTROSPECTION_URL and either RESOURCE_SERVER_AUTH_TOKEN or RESOURCE_SERVER_INTROSPECTION_CREDENTIALS as an (id, secret) tuple to your settings.
The Resource Server will then verify the access tokens on incoming requests against the Authentication Server.
    OAUTH2_PROVIDER = {
        ...
        'RESOURCE_SERVER_INTROSPECTION_URL': 'https://example.org/o/introspect/',
        'RESOURCE_SERVER_AUTH_TOKEN': '3yUqsWtwKYKHnfivFcJu',  # OR this but not both:
        # 'RESOURCE_SERVER_INTROSPECTION_CREDENTIALS': ('rs_client_id', 'rs_client_secret'),
        ...
    }
RESOURCE_SERVER_INTROSPECTION_URL defines the introspection endpoint and RESOURCE_SERVER_AUTH_TOKEN an authentication token used to authenticate against the Authentication Server.
As allowed by RFC 7662, some external OAuth 2.0 servers support HTTP Basic Authentication.
For these, use RESOURCE_SERVER_INTROSPECTION_CREDENTIALS=('client_id', 'client_secret') instead of RESOURCE_SERVER_AUTH_TOKEN.
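The following is an added example, not code from Django OAuth Toolkit, showing the two halves of the exchange described above: building the introspection request the Resource Server sends (authenticated either with a Bearer token or, as RFC 7662 allows, with HTTP Basic credentials), and deciding from the JSON response whether a token is active, unexpired and carries the required scopes. The sample response is a constructed copy of the example above; the function names are this example's own.

```python
import base64
import json
import urllib.parse


def build_introspection_request(token, auth_token=None, credentials=None):
    """Return (headers, body) for an RFC 7662 introspection call.

    Exactly one of auth_token (sent as Bearer) or credentials, an (id, secret)
    tuple sent as HTTP Basic, is accepted, mirroring the two exclusive settings.
    """
    if (auth_token is None) == (credentials is None):
        raise ValueError("configure exactly one of auth_token or credentials")
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if auth_token is not None:
        headers["Authorization"] = "Bearer " + auth_token
    else:
        client_id, client_secret = credentials
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    # The token under inspection goes in the form-encoded body, not the URL.
    body = urllib.parse.urlencode({"token": token})
    return headers, body


def token_is_valid(response_body, required_scopes, now):
    """Return True only if the introspection response authorises the request.

    Checks "active", the "exp" timestamp against `now` (Unix seconds) and that
    every required scope appears in the space-separated "scope" claim.
    """
    try:
        data = json.loads(response_body)
    except ValueError:
        return False  # malformed response: fail closed
    if data.get("active") is not True:
        return False
    exp = data.get("exp")
    if exp is not None and now >= exp:
        return False
    granted = set(data.get("scope", "").split())
    return set(required_scopes) <= granted


# Constructed copy of the example response shown above, used by the checks.
SAMPLE_RESPONSE = json.dumps({"active": True, "client_id": "oUdofn7rfhRtKWbmhyVk",
                              "username": "jdoe", "scope": "read write dolphin",
                              "exp": 1419356238})
```

Note that the example response's `exp` lies in the past, so against the current clock the token is rejected even though the server reports it active; a Resource Server should check both.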